Current safeguards
- Static export hosted behind Cloudflare CDN and TLS.
- No account passwords, payment data, or cloud project database.
- Image extraction, color conversion, palette files, and ICC signature checks run locally in the browser.
- File size and type restrictions reduce accidental resource exhaustion.
- User-controlled text is rendered as text, not injected as executable HTML.
- Security headers restrict framing, MIME sniffing, permissions, referrers, scripts, connections, and insecure requests.
- Dependencies are checked with TypeScript, ESLint, production builds, and vulnerability audits before release.
What users should do
Keep a trusted browser updated, avoid importing unknown files, verify downloaded data before production use, and keep exported project backups. Browser storage is not a secure secrets vault.
Responsible disclosure
Report a reproducible vulnerability through the Contact page. Include the affected URL, browser, impact, and minimal reproduction steps. Do not access other users’ data, disrupt availability, or publish exploit details before remediation.
No absolute security guarantee
No website can honestly promise to be completely “hacker-proof.” Color Pick applies practical defense-in-depth controls and documents remaining limitations.